{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "0"
              },
              {
                "last_affected": "2.2.1"
              }
            ]
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "babea82ef558c4b4dc685fd4ca677de1f0a7ee8f"
            },
            {
              "fixed": "f5fd029660034d31833ff1d2620bb82d1c1618af"
            }
          ],
          "repo": "https://github.com/grafana/loki",
          "type": "GIT"
        }
      ]
    }
  ],
  "details": "An issue was discovered in Grafana Loki through 2.2.1. The header value X-Scope-OrgID is used to construct file paths for rules files, and if it is crafted to conduct directory traversal, such as a ../../sensitive/path/in/deployment pathname, then Loki will attempt to parse a rules file at that location and include some of the contents in the error message.",
  "id": "CVE-2021-36156",
  "modified": "2026-03-13T21:54:00.574251496Z",
  "published": "2021-08-03T15:15:08.623Z",
  "references": [
    {
      "type": "REPORT",
      "url": "https://github.com/grafana/loki/pull/4020#issue-694377133"
    },
    {
      "type": "FIX",
      "url": "https://github.com/grafana/loki/releases/tag/v2.3.0"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}